package org.radarbase.jersey.auth.jwt;

import com.auth0.jwt.JWT;
import com.auth0.jwt.JWTVerifier;
import com.auth0.jwt.algorithms.Algorithm;
import com.auth0.jwt.exceptions.AlgorithmMismatchException;
import com.auth0.jwt.exceptions.JWTVerificationException;
import com.auth0.jwt.exceptions.SignatureVerificationException;
import com.auth0.jwt.interfaces.DecodedJWT;
import com.auth0.jwt.interfaces.Verification;
import jakarta.ws.rs.container.ContainerRequestContext;
import jakarta.ws.rs.core.Context;
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.OpenOption;
import java.nio.file.Paths;
import java.security.KeyFactory;
import java.security.KeyStore;
import java.security.PublicKey;
import java.security.interfaces.ECPrivateKey;
import java.security.interfaces.ECPublicKey;
import java.security.interfaces.RSAPrivateKey;
import java.security.interfaces.RSAPublicKey;
import java.security.spec.X509EncodedKeySpec;
import java.util.ArrayList;
import java.util.Base64;
import java.util.Iterator;
import java.util.List;
import kotlin.Metadata;
import kotlin.collections.CollectionsKt;
import kotlin.jvm.internal.DefaultConstructorMarker;
import kotlin.jvm.internal.Intrinsics;
import kotlin.jvm.internal.SourceDebugExtension;
import kotlin.text.Regex;
import kotlin.text.StringsKt;
import org.jetbrains.annotations.NotNull;
import org.jetbrains.annotations.Nullable;
import org.radarbase.auth.exception.ConfigurationException;
import org.radarbase.jersey.auth.Auth;
import org.radarbase.jersey.auth.AuthConfig;
import org.radarbase.jersey.auth.AuthValidator;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* compiled from: EcdsaJwtTokenValidator.kt */
@Metadata(mv = {1, 9, 0}, k = 1, xi = 48, d1 = {"��:\n\u0002\u0018\u0002\n\u0002\u0018\u0002\n��\n\u0002\u0018\u0002\n\u0002\b\u0002\n\u0002\u0010 \n\u0002\u0018\u0002\n��\n\u0002\u0018\u0002\n��\n\u0002\u0010\u000e\n\u0002\b\u0002\n\u0002\u0018\u0002\n\u0002\b\u0002\n\u0002\u0018\u0002\n\u0002\b\u0002\u0018�� \u00122\u00020\u0001:\u0001\u0012B\u000f\u0012\b\b\u0001\u0010\u0002\u001a\u00020\u0003¢\u0006\u0002\u0010\u0004J\u0018\u0010\b\u001a\u00020\t2\u0006\u0010\n\u001a\u00020\u000b2\u0006\u0010\f\u001a\u00020\u000bH\u0002J\u001a\u0010\r\u001a\u0004\u0018\u00010\u000e2\u0006\u0010\u000f\u001a\u00020\u000b2\u0006\u0010\u0010\u001a\u00020\u0011H\u0016R\u000e\u0010\u0002\u001a\u00020\u0003X\u0082\u0004¢\u0006\u0002\n��R\u0014\u0010\u0005\u001a\b\u0012\u0004\u0012\u00020\u00070\u0006X\u0082\u0004¢\u0006\u0002\n��¨\u0006\u0013"}, d2 = {"Lorg/radarbase/jersey/auth/jwt/EcdsaJwtTokenValidator;", "Lorg/radarbase/jersey/auth/AuthValidator;", "config", "Lorg/radarbase/jersey/auth/AuthConfig;", "(Lorg/radarbase/jersey/auth/AuthConfig;)V", "verifiers", "", "Lcom/auth0/jwt/JWTVerifier;", "parseKey", "Ljava/security/PublicKey;", "publicKey", "", "algorithm", "verify", "Lorg/radarbase/jersey/auth/Auth;", "token", "request", "Ljakarta/ws/rs/container/ContainerRequestContext;", "Companion", "radar-jersey"})
@SourceDebugExtension({"SMAP\nEcdsaJwtTokenValidator.kt\nKotlin\n*S Kotlin\n*F\n+ 1 EcdsaJwtTokenValidator.kt\norg/radarbase/jersey/auth/jwt/EcdsaJwtTokenValidator\n+ 2 _Collections.kt\nkotlin/collections/CollectionsKt___CollectionsKt\n*L\n1#1,115:1\n1549#2:116\n1620#2,3:117\n1549#2:120\n1620#2,3:121\n1549#2:124\n1620#2,3:125\n*S KotlinDebug\n*F\n+ 1 EcdsaJwtTokenValidator.kt\norg/radarbase/jersey/auth/jwt/EcdsaJwtTokenValidator\n*L\n42#1:116\n42#1:117,3\n45#1:120\n45#1:121,3\n66#1:124\n66#1:125,3\n*E\n"})
/* loaded from: input_file:org/radarbase/jersey/auth/jwt/EcdsaJwtTokenValidator.class */
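/**
 * Validates bearer JWTs against a fixed set of public keys taken from {@link AuthConfig}.
 *
 * <p>One {@link JWTVerifier} is built per configured key: ES256 for each entry of
 * {@code getJwtECPublicKeys()}, RS256 for each entry of {@code getJwtRSAPublicKeys()}, and ES256
 * for the certificate stored under the configured alias of the optional PKCS#12 keystore. Every
 * verifier requires the configured resource name as audience; the issuer is only checked when one
 * is configured.
 *
 * <p>This file is decompiler output of {@code EcdsaJwtTokenValidator.kt}; the Kotlin
 * {@code Companion} plumbing is kept so the class shape stays the same.
 */
public final class EcdsaJwtTokenValidator implements AuthValidator {

    @NotNull
    public static final Companion Companion = new Companion(null);

    /** Matches the PEM header line of a public key, e.g. {@code -----BEGIN PUBLIC KEY-----}. */
    private static final Regex PEM_HEADER = new Regex("-----BEGIN ([A-Z]+ )?PUBLIC KEY-----");

    /** Matches the PEM footer line of a public key, e.g. {@code -----END PUBLIC KEY-----}. */
    private static final Regex PEM_FOOTER = new Regex("-----END ([A-Z]+ )?PUBLIC KEY-----");

    /** Matches line breaks and other whitespace inside the Base64 body of a PEM block. */
    private static final Regex WHITESPACE = new Regex("\\s+");

    @NotNull
    private static final Logger logger = LoggerFactory.getLogger(EcdsaJwtTokenValidator.class);

    @NotNull
    private final AuthConfig config;

    @NotNull
    private final List<JWTVerifier> verifiers;

    /* compiled from: EcdsaJwtTokenValidator.kt */
    @Metadata(mv = {1, 9, 0}, k = 1, xi = 48, d1 = {"��\u0014\n\u0002\u0018\u0002\n\u0002\u0010��\n\u0002\b\u0002\n\u0002\u0018\u0002\n\u0002\b\u0003\b\u0086\u0003\u0018��2\u00020\u0001B\u0007\b\u0002¢\u0006\u0002\u0010\u0002R\u0011\u0010\u0003\u001a\u00020\u0004¢\u0006\b\n��\u001a\u0004\b\u0005\u0010\u0006¨\u0006\u0007"}, d2 = {"Lorg/radarbase/jersey/auth/jwt/EcdsaJwtTokenValidator$Companion;", "", "()V", "logger", "Lorg/slf4j/Logger;", "getLogger", "()Lorg/slf4j/Logger;", "radar-jersey"})
    /* loaded from: input_file:org/radarbase/jersey/auth/jwt/EcdsaJwtTokenValidator$Companion.class */
    public static final class Companion {
        private Companion() {
        }

        /** Returns the logger shared by all validator instances. */
        @NotNull
        public final Logger getLogger() {
            return EcdsaJwtTokenValidator.logger;
        }

        /** Synthetic constructor emitted by the Kotlin compiler; the marker argument is unused. */
        public /* synthetic */ Companion(DefaultConstructorMarker defaultConstructorMarker) {
            this();
        }
    }

    /**
     * Builds the verifier list from the given configuration.
     *
     * @param authConfig source of the public keys, keystore settings, audience and issuer
     * @throws ConfigurationException if a configured PEM key cannot be parsed, or if no key at all
     *     is configured
     * @throws IllegalStateException if the keystore cannot be read or does not yield an EC public
     *     key for the configured alias
     */
    public EcdsaJwtTokenValidator(@Context @NotNull AuthConfig authConfig) {
        Intrinsics.checkNotNullParameter(authConfig, "config");
        this.config = authConfig;
        List<Algorithm> algorithms = new ArrayList<>();

        List<String> jwtECPublicKeys = authConfig.getJwtECPublicKeys();
        if (jwtECPublicKeys != null) {
            for (String pem : jwtECPublicKeys) {
                // Verification only: no private key is ever supplied to the algorithm.
                algorithms.add(Algorithm.ECDSA256((ECPublicKey) parseKey(pem, "EC"), (ECPrivateKey) null));
            }
        }

        List<String> jwtRSAPublicKeys = authConfig.getJwtRSAPublicKeys();
        if (jwtRSAPublicKeys != null) {
            for (String pem : jwtRSAPublicKeys) {
                algorithms.add(Algorithm.RSA256((RSAPublicKey) parseKey(pem, "RSA"), (RSAPrivateKey) null));
            }
        }

        String jwtKeystorePath = authConfig.getJwtKeystorePath();
        if (jwtKeystorePath != null) {
            // try-with-resources: the keystore stream was previously never closed.
            try (InputStream keystoreStream = Files.newInputStream(Paths.get(jwtKeystorePath))) {
                KeyStore keyStore = KeyStore.getInstance("pkcs12");
                String jwtKeystorePassword = authConfig.getJwtKeystorePassword();
                char[] password = jwtKeystorePassword != null ? jwtKeystorePassword.toCharArray() : null;
                keyStore.load(keystoreStream, password);

                String alias = authConfig.getJwtKeystoreAlias();
                java.security.cert.Certificate certificate = keyStore.getCertificate(alias);
                if (certificate == null) {
                    // Name the real cause instead of surfacing a bare NullPointerException.
                    throw new IllegalStateException("No certificate in JWT keystore for alias " + alias);
                }
                PublicKey publicKey = certificate.getPublicKey();
                if (!(publicKey instanceof ECPublicKey)) {
                    throw new IllegalStateException(
                            "Certificate for alias " + alias + " does not hold an EC public key");
                }
                algorithms.add(Algorithm.ECDSA256((ECPublicKey) publicKey, (ECPrivateKey) null));
            } catch (Exception e) {
                throw new IllegalStateException("Failed to initialize JWT ECDSA public key", e);
            }
        }

        // Fail closed: without any key no token could ever be verified.
        if (algorithms.isEmpty()) {
            throw new ConfigurationException("No verification algorithms given");
        }
        logger.info("Verifying JWTs with " + algorithms.size() + " algorithms");

        List<JWTVerifier> built = new ArrayList<>(algorithms.size());
        for (Algorithm algorithm : algorithms) {
            Verification verification = JWT.require(algorithm)
                    .withAudience(new String[]{authConfig.getJwtResourceName()});
            // The issuer claim is only enforced when one is configured; with no issuer set, any
            // token signed by a configured key and carrying the right audience is accepted.
            String jwtIssuer = authConfig.getJwtIssuer();
            if (jwtIssuer != null) {
                verification.withIssuer(jwtIssuer);
            }
            built.add(verification.build());
        }
        this.verifiers = built;
    }

    /**
     * Parses a PEM or bare Base64 X.509 {@code SubjectPublicKeyInfo} into a public key.
     *
     * @param str the key text, with or without {@code BEGIN/END PUBLIC KEY} lines
     * @param str2 the {@link KeyFactory} algorithm name, {@code "EC"} or {@code "RSA"} in this class
     * @return the decoded public key
     * @throws ConfigurationException if the text is not valid Base64 or not a key of that algorithm
     */
    private PublicKey parseKey(String str, String str2) {
        String obj = StringsKt.trim(PEM_FOOTER.replace(PEM_HEADER.replace(str, ""), "")).toString();
        // Base64.getDecoder() rejects line breaks, so a multi-line PEM body would fail to decode;
        // dropping whitespace first accepts it and leaves single-line input unchanged.
        obj = WHITESPACE.replace(obj, "");
        // Only public key material is logged here; nothing secret passes through this method.
        logger.info("Using following public key for algorithm " + str2 + ": \n" + obj);
        try {
            return KeyFactory.getInstance(str2)
                    .generatePublic(new X509EncodedKeySpec(Base64.getDecoder().decode(obj)));
        } catch (Exception e) {
            throw new ConfigurationException(e);
        }
    }

    /**
     * Verifies the token against each configured key in turn.
     *
     * <p>A signature or algorithm mismatch means "not this key", so the next verifier is tried.
     * Any other verification failure (for example a claim check) rejects the token at once.
     *
     * @param str the raw JWT
     * @param containerRequestContext the request; its {@code RADAR-Project} header is passed on
     * @return the authenticated principal, or {@code null} when no verifier accepts the token
     */
    @Override // org.radarbase.jersey.auth.AuthValidator
    @Nullable
    public Auth verify(@NotNull String str, @NotNull ContainerRequestContext containerRequestContext) {
        Intrinsics.checkNotNullParameter(str, "token");
        Intrinsics.checkNotNullParameter(containerRequestContext, "request");
        String project = containerRequestContext.getHeaderString("RADAR-Project");
        for (JWTVerifier verifier : this.verifiers) {
            try {
                DecodedJWT decoded = verifier.verify(str);
                return new JwtAuth(project, decoded);
            } catch (SignatureVerificationException | AlgorithmMismatchException ignored) {
                // Both are subclasses of JWTVerificationException and must be caught before it.
                // In the decompiled order the general handler came first, so the first key that
                // did not match rejected the token and later keys were never tried.
            } catch (JWTVerificationException e) {
                logger.warn("JWT verification exception", e);
                return null;
            }
        }
        // Leave a trace for rejected tokens without writing the token itself to the log.
        logger.debug("JWT did not match any configured verification key");
        return null;
    }

    /** Delegates to the interface's default token extraction. */
    @Override // org.radarbase.jersey.auth.AuthValidator
    @Nullable
    public String getToken(@NotNull ContainerRequestContext containerRequestContext) {
        return AuthValidator.DefaultImpls.getToken(this, containerRequestContext);
    }
}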
